Threat Advisory

Reflected XSS Vulnerability in Avo Interface Runs Commands on Verified Pages

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium


EXECUTIVE SUMMARY:

A reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2026-33209, has been identified in the Avo interface, specifically in the handling of the return_to query parameter. It allows attackers to craft malicious URLs that inject arbitrary JavaScript. When a victim interacts with a dynamically generated navigation element, the injected script executes in the context of the application, potentially leading to session hijacking, unauthorized actions, or data exposure. Exploitability depends on the deployment configuration: unauthenticated environments are more exposed, since a crafted link alone suffices, while authenticated setups require user interaction. The vulnerability stems from improper input handling and insufficient output sanitization, which lets attackers bypass security controls and execute client-side payloads within a trusted application context. It has a CVSS score of 5.3.
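
To illustrate the defect class described above, the following added example (constructed for this advisory, not Avo's own code or its actual fix) contrasts a "return_to" parameter echoed raw into a generated navigation link with a hardened version that accepts only a same-site relative path and HTML-escapes the value before rendering. The function names and the fallback target are assumptions.

```ruby
require "cgi"
require "uri"

# Constructed example, not Avo's code: how a "return_to" style parameter
# should be validated before it is echoed into a generated navigation link.

# Vulnerable pattern: the raw parameter is interpolated straight into markup,
# so a crafted value can break out of the href attribute.
def back_link_unsafe(return_to)
  %(<a href="#{return_to}">Back</a>)
end

# Hardened pattern: accept only an absolute-path reference on the same site,
# fall back to a known-safe location otherwise, and escape the output.
def safe_return_to(return_to, fallback: "/")
  value = return_to.to_s.strip
  return fallback if value.empty?
  # Must start with a single "/": rejects schemes such as javascript:,
  # protocol-relative "//host" and the "/\host" form some browsers accept.
  return fallback unless value.match?(%r{\A/(?![/\\])})
  # Reject control characters that could smuggle header or markup breaks.
  return fallback if value.match?(/[\x00-\x1f\x7f]/)
  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    return fallback
  end
  # A genuine relative path carries neither scheme nor host after parsing.
  return fallback if uri.scheme || uri.host
  value
end

def back_link_safe(return_to)
  %(<a href="#{CGI.escapeHTML(safe_return_to(return_to))}">Back</a>)
end
```

Validation of the destination and escaping of the output are separate controls; the first blocks open redirects, the second blocks attribute break-out, and both are needed.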


RECOMMENDATION:

  • We strongly recommend updating the Avo RubyGems package to version 3.30.4 or later.


REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-762r-27w2-q22j